5.7 QRadar Custom DSM Part 2

00:00

No, let's continue where we left off it. Now, what can we do here? We can actually go and say we're going to do Ah, you search right.

00:10

And instead of using the search we had in the beginning, you can do like, let's say, far wall.

00:19

You know, I have a destination poor and get loaded

00:22

insurgent.

00:24

Let's see what I found

00:29

and let's see if it triggers. Ah doesn't recognize this pf sentence of firewall. So that's something else. We have to modify a swell and apologize for that.

00:39

Here we go.

00:42

See, It's now detecting this nation. I, p's,

00:45

um, based on information you're going to see source like Peter Multiple. That's a nation. I ps this one. You can actually hope her over it.

00:55

And you see the little aereo It's Ah,

00:58

Darryl is

01:00

okay, So what can we do here is Let's open actually a regular search, Right?

01:07

Let's go to lock activity itself. Refresh it.

01:11

There you go. And this is okay. We can modify the search. Obviously, in order to remove these, we have to go back. Eddie to search and remove the D variables from the columns are throwing right

01:25

the same way we had of them were moving. Now that's what I want to show you. Is that one of the good things about doing the D S M right? It's self mortification is that now you can see what source I p's or what. It's trying to connect to your network. And it's where you got, like, Why do I have connection from,

01:42

you know, Canada? Why do I have connections from I'm not even sure

01:46

Sorry, I'm not good with flags. Uh,

01:49

Russia. See, It's not good on then. Obviously, you see destination so you can see Obviously, you know, in this case, you can come and let it run or you can say, OK, let's see. Wonder the last 30 minutes. What do we see?

02:07

You can see here.

02:07

Um, Russia, Russia, Russia. You see Canada, Montreal to be more precise, he just are exploring why these eyepieces are trying to hit you or what purpose they're trying to hit you or what? Already? Really. And you can Come on, let's say,

02:29

uh, copy it right

02:31

right here.

02:35

And then you can come to income to, let's say old tools and taken I p and see who is that I p

02:44

and this isn't right. Nap. All right.

02:46

And sorry. Access for your houses, your grill, It already

02:52

a sense of Courtney. Even I have quite ones. Whatever gets its space in its searching, Another tool. And here, for example, I'd like to

03:00

the black list checking this I p

03:06

You see, it's a blacklisted I p

03:08

from Russia trying to come to your network. Oh, not good, right? It is the type of things you would not see.

03:21

Um, unless you do your lap. And this is one of the great benefits you have from this. Now, you can go to your firewall. You can add a blacklist of this like P.

03:30

You can make sure. I mean, we already make sure the validity that we scan patch everything and these are some of the great benefits will gain from the lab.

03:40

We get the top notch security that we always wanted. Okay. And that's pretty much for curator. I don't want to go too deep into curator. I don't want to bore you too much because there's other tools. And remember, this is not a curator course. It's just a lap. And I was I did have to get this deep

04:00

to show you deficiency of it and how to get it value up your lab when it comes to security. Right? We do have a lot more things. And curator, obviously you have the app exchange, right? And let me show you that road. So IBM it changes right here. Exchange that X force and I mean cloud, come or you can literally search

04:20

in Google Ivy and Maps Church, and you'll come here. You will require an account. I believe it's free to register.

04:28

Or you can you actually use the same account you used to register for downloading Curator. And you can see here there's different options. It's not only curator, so make sure you check the curator box on the left and you can see domain tool for IBM, which is, um, really good tool.

04:46

Ah, protecting eyepieces, actually fairly recently updated. And that's really good. I may actually install this in my appliance itself. I love the main tools

04:59

you can see you have pulled. You have used her behavioral analysis is or, you know, when you have a lot of people around, you're gonna see semantic. For example, one of the vendors, right? Cemented email. You have advice? What wants? Ana? This is more of a paid premier. See option. Um,

05:16

you're gonna have ah, long tool right here on here somewhere. It's 23 pages, right? So you won't be able to see everything you have. Edie, are from ah crowdstrike,

05:27

right? Our next year out of IRS, um, recorded future.

05:32

It's really good and going to see a now you're jumping into both curator APS for Splunk, for example. So this is, for example, I send ah, locks from

05:44

my far wall to curator and then the curator to Splunk. If you only have, for example, one option in this case we saw already that, um

05:53

we can configure both

05:55

lox versus in our system for NPR sense.

05:58

But many enterprises, I don't only try to consolidate and then for it. So our have two systems and they use this. It's there because you need it. Ah, intelligence. You have TNF analyzer

06:13

because you want to see a little bit more information. I have polls Post looks really cool. I'll be honest with you. Actually, let me go in there and it shows you kind of a threat ma'am of, um,

06:24

how it looks, right, And you can see here Ln your scroll forward,

06:29

he looks like a tramp map off where the connections are coming for him again. If you want to put it that way, See?

06:34

And it is really good. Especially the bigger the network, the more fun you have. And it's a great tool to show your manager's your executives and how, Luke, How are threats are coming from, right? Um, it's a really cool plug in

06:49

for that threat. Intelligence Information Incident Review. This is more kind of the pool spot for you as an analyst. It will basically lim actually click on it to figure out or connect the dots on what the most freaking events are. And that way you can start fighting to know locators or something else that's giving you a lot of problems. Okay,

07:10

um, because you have all of those seconds A lot of tools that are here for you.

07:15

Most of the curator ones are tend to be free. Um, if you do see vendor related ones, um,

07:23

normally they do require to you to have the product. If you have the product or you come across a product and you have it in your lap or you having your enterprise that most likely that you can also drew. And that will be a wrap up like mentioned for a curator at the whole. Sorry I extended to show you this I just think,

07:42

really provides a good value for you as you want to expand

07:45

or increase year lab itself.

07:49

So what they will learn today we create a custom the F sin for P f sense. There plenty of advantages for you doing this over custom properties. One of those is that even correlation will be more precise than when you're actually using custom properties. As we saw on our example,

08:09

if you don't utilize discussed India Cem,

08:11

our source i p will be 1 92.1 68 That one That one is that of the source I p that's trying to target

08:20

aren't network.

08:22

We were also able to see that one. We utilized the custom de ascend. We were able to identify the

08:31

source country for eyepiece and swell as a destination country region for our destination. I peace within each and every event lock that contain this information

08:45

this showed very beneficial as resource and connections from out of the country that we're blacklisted and additional steps must now be taken in order to properly secure our network.

08:56

Without this pf sense to curator integration, we should have not been able to see this and therefore not see the risk within our network.

09:05

We can say that this is basically a mission accomplished

09:07

as we were able to protect our network from threats that we're not aware existed. Up to this point

09:16

in our Max lesson, it will actually jump over our next model. And we'll do a very basic, beloved city scanning introduction utilizing next pose.